Skip to main content

Arqit Symmetric Key Agreement Platform EUVDEUVD-2026-30113

| CVE-2026-33583 HIGH
Exposed Dangerous Method or Function (CWE-749)
2026-05-13 ENISA GHSA-p8mh-jv2c-p65g
8.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:54 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD

DescriptionCVE.org

Exposure of the QKEY (used as input into the ‘OTA-Quantum’ device registration process) and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform.

This issue affects Symmetric Key Agreement Platform: before 26.03.

AnalysisAI

Sensitive key material disclosure in Arqit Symmetric Key Agreement Platform versions before 26.03 allows remote unauthenticated attackers to retrieve the QKEY (a critical input to the OTA-Quantum device registration process) along with internal system keys via a plain HTTP GET request. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%), but the high CVSS of 8.7 with scope-change reflects the severe downstream cryptographic compromise possible once these keys leak. A vendor patch is available in version 26.03.

Technical ContextAI

The Arqit Symmetric Key Agreement (SKA) Platform underpins the company's quantum-safe symmetric keying service, distributing shared cryptographic material to endpoints that participate in the 'OTA-Quantum' registration and key-agreement flow. The QKEY identified in this CVE is a seed/input value bound to that registration process, meaning its disclosure undermines the trust anchor for derived session keys. The CWE-749 mapping (Exposed Dangerous Method or Function) indicates the root cause is a sensitive management or retrieval endpoint left reachable over an unauthenticated, unencrypted HTTP channel - an interface that should have required mutual authentication, TLS, and authorization. CPE coverage (cpe:2.3:a:arqit:symmetric_key_agreement_platform) confirms a single affected product line rather than a downstream integration issue.

RemediationAI

Upgrade the Arqit Symmetric Key Agreement Platform to version 26.03 or later - vendor-released patch is available per advisory data; consult the CVCN and EUVD references (https://www.cvcn.gov.it/cvcn/cve/CVE-2026-33583, https://nvd.nist.gov/vuln/detail/CVE-2026-33583) for vendor-specific upgrade guidance. Because QKEY and internal system keys may have been exposed, after patching also rotate any keys generated or distributed by the platform and re-register affected OTA-Quantum devices to invalidate material that could have been harvested. As compensating controls until patching, restrict network reachability of the SKA Platform's HTTP management interface to an isolated administrative VLAN or jump host, place it behind a reverse proxy that enforces mutual TLS and authentication, and block inbound port 80 to the platform at the perimeter - note that doing so will break any legitimate integrations currently relying on the plaintext endpoint, so inventory dependent clients first. Monitoring HTTP access logs on the platform for GET requests targeting key-retrieval paths is a useful detection layer while remediation is in flight.

Share

EUVD-2026-30113 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy